NIST Special Publication
800-37
1
INTRODUCTION
• National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Revision 2 is the Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.
• The goal of the RMF is to prepare organizations to execute appropriate risk management activities across the system life cycle. The framework also provides a cybersecurity roadmap for near real-time risk management of information systems, with a decision tree supporting both privacy and security.
• The Special Publication is in line with Office of Management and Budget (OMB) requirements, specifically OMB Circular A-130.
2
INTRODUCTION (Cont’d)
• Roles and responsibilities and a summary of RMF tasks can also be found in NIST SP 800-37 Revision 2; they establish accountability and responsibility for controls within an organization’s information systems.
3
ORGANIZATION-WIDE RISK MANAGEMENT
• Managing information system-related security and privacy risk is a complex undertaking that requires the involvement of the entire organization: from senior leaders providing the strategic vision and top-level goals and objectives for the organization, to mid-level leaders planning, executing, and managing projects, to individuals developing, implementing, operating, and maintaining the systems supporting the organization’s missions and business functions.
• Without adequate risk management preparation at the organizational level, security and privacy activities can become too costly, demand too many skilled security and privacy professionals, and produce ineffective solutions.
4
ORGANIZATION-WIDE RISK MANAGEMENT (Cont’d)
• Figure 1 illustrates a multi-level approach to risk management that addresses security and privacy risk at the organization level, the mission/business process level, and the information system level.
• Communication and reporting are bi-directional information flows across the three levels to ensure that risk is addressed throughout the organization.
5
RISK MANAGEMENT FRAMEWORK STEPS AND STRUCTURE
6
RISK MANAGEMENT FRAMEWORK STEPS AND STRUCTURE (Cont’d)
• There are seven steps in the RMF: a preparatory step to ensure that organizations are ready to execute the process, and six main steps.
• After completing the tasks in the Prepare step, organizations executing the RMF for the first time for a system or set of common controls typically carry out the remaining steps in sequential order.
• However, there can be many points in the risk management process where there is a need to diverge from the sequential order, due to the type of system, risk decisions made by senior leadership, or to allow for iterative cycles between tasks or revisiting of tasks.
7
INFORMATION SECURITY AND PRIVACY IN THE RMF
• To be effective, the RMF requires an information security program as well as a privacy program.
• Privacy programs ensure compliance with control frameworks that are used to protect Personally Identifiable Information (PII). The RMF is only effective when both the information security and privacy programs are working together.
• An example of this is when information systems process PII. Both the information security program and the privacy program are responsible for safeguarding the information. If either operates stand-alone, information security is compromised.
8
INFORMATION SECURITY AND PRIVACY IN THE RMF (Cont’d)
• [OMB A-130] defines a privacy control as an administrative, technical, or physical safeguard employed within an agency to ensure compliance with applicable privacy requirements and to manage privacy risks.
• A privacy control is different from a security control, which the Circular defines as a safeguard or countermeasure prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.
9
SYSTEM AND SYSTEM ELEMENTS
• Think of the RMF elements as an environment of operation. There are specific boundaries, and system elements that are authorized to function within a boundary. Granted, there are other systems outside the authorization boundary that feed information in, and information flows out to them as well. What matters is that authorization boundaries are clearly defined: the elements inside a boundary
• Support the same business functions
• Have the same security and privacy requirements
• Process, store, and transmit similar types of data
• Reside in the same operating environment.
• See the figure on the next slide.
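The four boundary criteria above are a grouping rule, and the in/out flows the slide mentions are the external interfaces an authorizing official needs documented. The following added example (not from the slides or from NIST) applies both to a constructed, hypothetical system inventory: it partitions elements into candidate authorization boundaries by the four criteria, then flags every information flow that crosses a boundary.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SystemElement:
    name: str
    business_function: str   # criterion 1: supports the same business function
    requirements: frozenset  # criterion 2: same security and privacy requirements
    data_types: frozenset    # criterion 3: similar data processed/stored/transmitted
    environment: str         # criterion 4: same operating environment


def boundary_key(e: SystemElement) -> tuple:
    """Elements that agree on all four criteria fall in the same candidate boundary."""
    return (e.business_function, e.requirements, e.data_types, e.environment)


def group_into_boundaries(elements):
    """Return {boundary_key: sorted element names}."""
    groups = defaultdict(list)
    for e in elements:
        groups[boundary_key(e)].append(e.name)
    return {k: sorted(v) for k, v in groups.items()}


def boundary_of(boundaries):
    """Invert the grouping to {element name: boundary_key}."""
    return {name: key for key, names in boundaries.items() for name in names}


def cross_boundary_flows(boundaries, flows):
    """Flows whose endpoints sit in different boundaries are the information
    going in or out of a boundary; each one is an interface to document."""
    owner = boundary_of(boundaries)
    return [(src, dst) for src, dst in flows if owner[src] != owner[dst]]


# Constructed sample inventory; names and attributes are hypothetical.
PII = frozenset({"PII"})
MOD = frozenset({"moderate", "privacy"})
ELEMENTS = [
    SystemElement("payroll-app", "HR payroll", MOD, PII, "dc1"),
    SystemElement("payroll-db", "HR payroll", MOD, PII, "dc1"),
    SystemElement("hr-portal", "HR payroll", MOD, PII, "cloud"),   # different environment
    SystemElement("public-web", "public info", frozenset({"low"}), frozenset({"public"}), "cloud"),
]
FLOWS = [("public-web", "hr-portal"), ("hr-portal", "payroll-app"), ("payroll-app", "payroll-db")]


def demo():
    boundaries = group_into_boundaries(ELEMENTS)
    return boundaries, cross_boundary_flows(boundaries, FLOWS)
```

Running `demo()` on the sample yields three boundaries (the portal lands outside the data-centre payroll boundary because its operating environment differs) and two cross-boundary flows.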
10
SYSTEM AND SYSTEM ELEMENTS (Cont’d)
11
AUTHORIZATION BOUNDARIES
• Establishing meaningful authorization boundaries for systems and common controls is one of the most important risk management activities carried out by an organization.
• The authorization boundary defines the specific scope of an authorizing official’s responsibility and accountability for protecting information resources and individuals’ privacy, including the use of systems, components, and services from external providers. Establishing meaningful authorization boundaries is a foundation for assuring mission and business success for the organization.
• Organizations have flexibility in determining what constitutes the authorization boundary for a system.
12
REQUIREMENTS AND CONTROLS
• A requirement tells someone what needs to be done, while a control tells someone how to do it. Requirements in the RMF encompass legal, cybersecurity, system, and data requirements.
• A common control catalog framework to use as a reference is the NIST Cybersecurity Framework (NIST CSF). Controls describe the approach to achieving organizational objectives. Controls often pair the technical aspects with the parameters of implementation.
• Security and privacy requirements and risks identified by the organization lead to the need for security and privacy controls to respond to the risk. The controls selected by the organization subsequently lead to both specification requirements and statement-of-work requirements in the systems engineering context.
13
SECURITY AND PRIVACY POSTURE
The security and privacy posture must outline the status of the information system and demonstrate the management, health, and defensibility of the system.
The organization must also demonstrate that it can manage privacy risk, prevent tampering, and react to changes in the organization or the system.
The security and privacy posture of information systems and organizations is determined on an ongoing basis by assessing and continuously monitoring system-specific, hybrid, and common controls.
14
SUPPLY CHAIN RISK MANAGEMENT
In the new age of supply chain risk management (SCRM), organizations are responsible for the cybersecurity posture of their suppliers.
The responsibility extends as far as a potential risk might impact the organization or organizational data. Organizations are growing more dependent on a supply chain for goods and services that they no longer make themselves.
The global economy has made sourcing incredibly easy, but it has also exposed organizations to untrustworthy suppliers. A well-developed SCRM program is imperative to combat third-party risk.
• Think of SCRM as a system life cycle approach. Only by working together can the RMF and SCRM mitigate the overall risk contained in the supply chain.
15
EXECUTING THE RISK MANAGEMENT FRAMEWORK TASKS
1. Prepare the organization for the RMF by establishing context and priorities for managing
security and privacy risk.
2. Categorize the information systems and data.
3. Select the controls that the systems and data need to reduce risk.
4. Implement the controls and describe how the controls impact the system and data.
5. Assess the controls to verify they are performing as intended.
6. Authorize the common controls based on ongoing risk assessments.
16
EXECUTING THE RISK MANAGEMENT FRAMEWORK TASKS (Cont’d)
7. Monitor the systems and controls on an ongoing basis.
• The RMF uses a system development life cycle (SDLC) approach to ensure that security and privacy requirements are followed for information systems and the organization.
Information technology and security play a large role in bringing privacy requirements to implementation through privacy controls.
17
